Going beyond Encryption, explicit credential management will provide credentials to your builds for a brief amount of time, without being persisted anywhere. It also allows for credentials to be rotated and managed external to the pipeline or team, and prevents them from being revealed by
Credential management works by replacing the credentials with
((vars)) in your pipeline or task config. When the Concourse is about to run the step or
check that is configured with vars, it will resolve them by fetching the values from the credential manager. If the values are not present, the action will error.
The following configurations can be parameterized with a credential manager:
paramson a task step in a pipeline
Where these values are looked up and how the credential manager is configured depends on the backend. Consult the relevant section below for whichever backend you want to use.
- 220.127.116.11 The Vault credential manager
- 18.104.22.168 The CredHub credential manager
- 22.214.171.124 The AWS SSM credential manager
- 126.96.36.199 The AWS Secrets Manager credential manager
- 188.8.131.52 Kubernetes Credential Manager
- 184.108.40.206 Caching credentials
- 220.127.116.11 Redacting credentials
- 18.104.22.168 Retrying failed fetches